
DTLS-ICE

DTLS-ICE (draft-thomson-rtcweb-dtls-ice-00). Exchanging signaling is hard, but it’s the quickest part of session setup. Collecting candidates, connectivity checking, candidate nomination, DTLS handshake. Latency optimized. If you like latency, great! Ship it.

kieu

Presentation Transcript


  1. DTLS-ICE draft-thomson-rtcweb-dtls-ice-00

  2. Exchanging signaling is hard, but it’s the quickest part of session setup
     • Collecting candidates, connectivity checking, candidate nomination, DTLS handshake

  3. Latency optimized
     If you like latency, great! Ship it.
     Setup times on intercontinental calls ~1-2s
     Thanks to Dan and EKR who noted the flaws in this flow and spoiled a great argument with their “technically you don’t need to ask for a cookie” blahblah
     Layering is great… until you decide to optimize
     76 RTT

  4. Neat layering is for chumps
     • Overload the 2RTT STUN connectivity check semantics on the 2RTT DTLS handshake
     • Check: s/STUNBinding/DTLSClientHello&ServerHello/
     • Nominate: s/STUNBinding/DTLSFinished&Finished/
     • Username fragment(s)/password packed into the cookie:
       • prevent/mitigate DoS
       • provide verification of consent
     • Remove two round trips

  5. Faster? How much?
     • DTLS depends on saving the handshake messages
     • Multiple handshakes started, only one completes
     • Not that much extra state over what ICE maintains
     4 RTT

  6. Other things
     • Consent freshness can just use (D)TLS heartbeat [RFC 6520]
     • Mandate support of heartbeats and prohibit the use of peer_not_allowed_to_send
     • Dealing with some NATs can be helped by gathering peer reflexive candidates
     • Just use STUN for that, but in parallel

  7. Bonus slide: Too fast for IdP
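
Slide 4's idea of packing the ICE username fragments and password into the DTLS cookie, sketched as an added example that is not code from the draft or the presentation. The cookie layout (length byte, `responder_ufrag:initiator_ufrag`, truncated HMAC-SHA256 keyed with the responder's ICE password over that username and the ClientHello random) and all function names are assumptions made for illustration; only the username ordering and the use of the peer's password follow ordinary ICE connectivity checks.

```python
import hashlib
import hmac

MAC_LEN = 16      # truncated HMAC-SHA256 tag (assumed length)
MAX_COOKIE = 255  # size limit of the DTLS 1.2 cookie field (RFC 6347)

def _tag(pwd, user, client_random):
    # Keyed with the ICE password, so only a peer that saw the signaling can produce it.
    return hmac.new(pwd.encode(), user + client_random, hashlib.sha256).digest()[:MAC_LEN]

def make_cookie(initiator_ufrag, responder_ufrag, responder_pwd, client_random):
    """Initiator side: build the cookie carried in the DTLS ClientHello (hypothetical layout)."""
    user = f"{responder_ufrag}:{initiator_ufrag}".encode("ascii")
    cookie = bytes([len(user)]) + user + _tag(responder_pwd, user, client_random)
    if len(cookie) > MAX_COOKIE:
        raise ValueError("ufrags too long for a DTLS cookie")
    return cookie

def check_cookie(cookie, sessions, client_random):
    """Responder side: return (local_ufrag, peer_ufrag) if the cookie proves consent, else None.

    `sessions` maps each local ufrag the responder has signaled to its ICE password.
    Rejected packets allocate no handshake state, which is the DoS mitigation.
    """
    if len(cookie) < 1 + MAC_LEN or len(cookie) != 1 + cookie[0] + MAC_LEN:
        return None
    user, tag = cookie[1:1 + cookie[0]], cookie[1 + cookie[0]:]
    try:
        local_ufrag, _, peer_ufrag = user.decode("ascii").partition(":")
    except UnicodeDecodeError:
        return None
    pwd = sessions.get(local_ufrag)
    if pwd is None:  # no session was ever signaled with this ufrag
        return None
    if not hmac.compare_digest(tag, _tag(pwd, user, client_random)):
        return None
    return local_ufrag, peer_ufrag

if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    sessions = {"Rb7x": "constructed-password-0123456"}
    client_random = bytes(range(32))
    good = make_cookie("Ia3k", "Rb7x", "constructed-password-0123456", client_random)
    print(check_cookie(good, sessions, client_random))       # accepted
    print(check_cookie(good, sessions, bytes(32)))           # different ClientHello random: rejected
```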
